v1.8.0

Date: May 12, 2026

Breaking changes

  • The DirectResponse body in HTTPFilter now supports Envoy command operators for dynamic content. Existing configurations whose body contains the template syntax (%) will now be interpolated.
  • A 0s timeout in SecurityPolicy is now treated as an infinite timeout rather than an immediate timeout.
  • Fixed EnvoyProxy samplingFraction translation to correctly convert the Gateway API fraction into Envoy’s percentage-based random_sampling field. Existing samplingFraction configurations will now sample 100x more frequently than in previous releases; divide previous values by 100 to preserve prior sampling rates.
  • The controller now uses the production logging encoder config by default, which produces better-structured output when the JSON encoder is used.
  • SecurityPolicy OIDC now generates a single native envoy.filters.http.oauth2 HTTP filter in the HCM filter chain and moves route-specific OAuth2 configuration to route typed_per_filter_config. This can break existing EnvoyPatchPolicies and extension managers that depend on the previous per-route OAuth2 filter instances or on the old OAuth2 filter configuration shape in the HCM filter chain.
  • Merged SecurityPolicy IR/xDS resource names (OIDC, BasicAuth, ExtAuth, JWT) now derive from the policy that contributes the field (parent or route) rather than always using the route-level policy. EnvoyPatchPolicy users who reference those generated names must update their patch targets.

Security updates

New features

  • Added support for optional active health check configuration.
  • Added support for shadow mode in local rate limiting.
  • Added support for MergeType in SecurityPolicy to enable route-level policies to merge with parent Gateway/Listener policies, similar to BackendTrafficPolicy.
  • Added egctl config envoy-gateway commands to retrieve Envoy Gateway admin config dumps.
  • The DirectResponse body in HTTPFilter now supports Envoy command operators for dynamic content. See https://www.envoyproxy.io/docs/envoy/latest/configuration/observability/access_log/usage#command-operators for more details.
  • Added HTTP/2 connection keepalive support to ClientTrafficPolicy and BackendTrafficPolicy.
  • Added RoutingType field for BackendTrafficPolicy.
  • Added support for configuring weights for locality zones.
  • Added support for gRPC-Web settings in ClientTrafficPolicy.
  • Added support for Envoy Dynamic Modules.
  • Added support for weight in the BackendRef API to enable traffic splitting for non-xRoute resources.
  • Added support for removing headers based on matching criteria (Exact, Prefix, Suffix, RegularExpression) in ClientTrafficPolicy EarlyRequestHeaders and LateResponseHeaders.
  • Added support for priorityClassName in KubernetesPodSpec for Envoy Proxy pods.
  • Added support for shadow mode in global rate limiting.
  • Added support for specifying both text (body) and attributes in access log format by making the type field optional.
  • Set a Warning status condition for deprecated fields in xPolicy CRDs.
  • Added support for URLRewrite filter on individual backendRefs.
  • Added support for custom headers on OTLP exports (metrics, tracing, access logs).
  • Added support for custom TLS configuration when pulling WASM code via HTTP or OCI in EnvoyExtensionPolicy.
  • Added support for gRPC stats settings in EnvoyProxy.
  • Added the PostEndpointsModify extension hook, allowing extensions to modify EDS ClusterLoadAssignments generated by Envoy Gateway before they are sent to Envoy.
  • Added support for stream idle timeout in BackendTrafficPolicy.
  • Added namespaceOverride support to gateway-helm chart.
  • Added support for configuring statusOnError in ExtAuth settings.
  • Added support for GeoIP-based authorization on HTTPRoute and GRPCRoute via SecurityPolicy.spec.authorization.rules[*].principal.clientIPGeoLocations, backed by shared GeoIP provider settings in EnvoyProxy.spec.geoIP.
  • Added support for retry budget in BackendTrafficPolicy.
  • Added support for BackendUtilization load balancing policy in BackendTrafficPolicy.
  • Added support for upstream access logs via the Upstream access log type in EnvoyProxy.
  • Added support for invert match in CIDR match RateLimit API.
  • Added support for ignoring HTTP/1.1 Upgrade requests in ClientTrafficPolicy via http1.ignoredUpgradeTypes.
  • Added support for OpenTelemetry sampler configuration for tracing.
  • Added support for multiple ExtensionManagers with sequential chaining via a new extensionManagers field in EnvoyGateway configuration.
  • Added support for default EnvoyProxy settings on EnvoyGatewaySpec that can be overridden by GatewayClass or Gateway-level EnvoyProxy configurations. A new MergeType field allows choosing between Replace (default), StrategicMerge, or JSONMerge strategies for combining configurations.
  • Added support for sending Envoy Gateway route metadata to external authorization backends via SecurityPolicy.spec.extAuth.includeRouteMetadata.
  • Added support for cross-namespace policy attachment for ClientTrafficPolicy, BackendTrafficPolicy, EnvoyExtensionPolicy, and SecurityPolicy.
  • Added source field to responseOverride rules in BackendTrafficPolicy, allowing rules to target only Envoy-generated responses (Local), only upstream responses (Backend), or both (All, the default). This enables overriding Envoy responses (e.g. auth/rate-limit failures) without affecting legitimate upstream responses with the same status code.
  • Added support for path override in ExtAuth HTTP service.
  • Added support for bandwidth limiting in BackendTrafficPolicy.
  • Added support for defining Envoy Proxy image, pullPolicy, and pullSecrets via the helm chart. Note that to merge these helm-configured values with EnvoyProxy resources, the EnvoyProxy must include mergeType: StrategicMerge or mergeType: JSONMerge.
  • Added support for Envoy Admission Control to BackendTrafficPolicy, enabling client-side load shedding based on historical upstream success rates using Envoy’s admission control filter.

Bug fixes

  • Fixed local rate limit rules with identical sourceCIDR client selectors producing conflicting descriptors.
  • ClientTrafficPolicy is now rejected when invalid TLS cipher suites are configured.
  • Fixed ClientTrafficPolicy to disable HTTP/3 and surface a warning on the policy when downstream client TLS validation is configured, instead of generating a rejected QUIC listener.
  • Fixed validation of XListenerSet certificateRefs.
  • Fixed XListenerSet not allowing xRoutes from the same namespace when configured to allow them.
  • Fixed API key authentication dropping non-first client IDs when credential Secrets contain multiple keys.
  • Fixed X-ENVOY-ORIGINAL-HOST not being set when headers.enableEnvoyHeaders is enabled and hostname rewrite is configured for DynamicResolver type of Backends.
  • Fixed standalone mode emitting non-actionable error logs for missing secrets and unsupported ratelimit deletion on every startup.
  • Fixed local object reference resolution from parent policy in merged BackendTrafficPolicies.
  • Fixed xPolicy resources being processed from all namespaces when NamespaceSelector watch mode is configured in the Kubernetes provider.
  • Fixed route and policy status aggregation across multiple GatewayClasses managed by the same controller, so resources preserve status from all relevant parents and ancestors instead of being overwritten by the last processed GatewayClass.
  • Fixed route status parent aggregation when the number of parents exceeds the Gateway API cap of 32.
  • Made ConnectionLimit.Value optional so users can configure MaxConnectionDuration, MaxRequestsPerConnection, or MaxStreamDuration without setting a max connections value.
  • Fixed endpoint hostname not being respected during active health checks.
  • Fixed ratelimit deployment missing metrics container port (19001), which prevented PodMonitor/ServiceMonitor from targeting the metrics endpoint.
  • Fixed ratelimit ServiceAccount missing standard Kubernetes app labels.
  • Fixed GRPCRoute RequestMirror filter backend not being indexed, causing “service not found” errors for mirror targets that exist in the cluster.
  • Fixed GRPCRoute not detecting conflicting RequestMirror and DirectResponse filters, which caused the mirror to be silently dropped.
  • Fixed BackendTrafficPolicy requestBuffer coexisting with route upgrades by disabling the default WebSocket upgrade on buffered routes and rejecting explicit requestBuffer + httpUpgrade combinations.
  • Fixed per-endpoint hostname override not working due to the auto-generated wildcard hostname.
  • Fixed Basic Authentication failing when htpasswd secrets use CRLF line endings by normalizing to LF before passing to Envoy.
  • Fixed BackendTLSPolicy being ignored when configuring TLS for telemetry backends (access logs, tracing, metrics).
  • Fixed client certificate secret never being delivered when exclusively referenced by a SecurityPolicy extAuth/jwt/oidc Backend.
  • Fixed xRoutes being incorrectly marked unaccepted when a RequestMirror filter referenced a backend with no endpoints; the route now remains accepted with BackendsAvailable=False, per Gateway API conformance.
  • Fixed ws and wss Backend appProtocols to force HTTP/1.1 upstream connections instead of negotiating HTTP/2, avoiding compatibility issues with WebSocket backends that do not support RFC 8441 extended CONNECT.
  • Fixed gateway-helm RBAC in GatewayNamespace mode with explicit watch.namespaces list by adding controller-namespace secret read permissions to infra-manager.
  • Fixed a control plane panic caused by concurrent Status mutation racing with the watchable Map coalesce goroutine.
  • Fixed BackendTrafficPolicy rate limit requests values above uint32 max (4294967295) being silently truncated modulo 2^32 by the rate limit service and Envoy token bucket. The field now rejects such values at admission time with a clear schema validation error.
  • Fixed status conditions not being updated when a route is rejected due to multiple errors.
  • Fixed spurious development-mode panic log from the gatewayapi translator.
  • Fixed SecurityPolicy merge using the wrong policy as the owner for resource references and IR generation.
  • Fixed ListenerSet and its listeners incorrectly setting Accepted: False for InvalidCertificateRef and RefNotPermitted, inconsistent with Gateway behavior and the Gateway API spec.
  • Fixed active HTTP health checks to use Backend endpoint hostnames before falling back to the effective Route hostname.
  • Fixed HTTPS listeners with overlapping hostnames but disjoint certificate SANs to preserve HTTP/2 ALPN by default.
  • Removed the spurious cross-namespace policy-attachment warning condition when a ReferenceGrant is missing (#8901).
  • Fixed an invalid first listener winning hostname/protocol precedence and causing a later valid listener on the same hostname/port to be marked HostnameConflict (#8577).
  • Increased RateLimitSelectCondition.headers MaxItems from 16 to 64, matching the existing HTTPHeaderFilter pattern (#8906).
  • Fixed Gateway getting stuck at Programmed=False after its LoadBalancer Service IP was restored, by ignoring LastTransitionTime when comparing status conditions.
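The uint32 truncation fixed above is worth seeing concretely, because the failure is silent: a limit that the operator intended to be effectively unlimited wraps modulo 2^32 and can become a tiny limit (or zero), turning a permissive configuration into a denial of service for legitimate traffic. The following is an added example, not Envoy Gateway's code; it models the wrap-around described in the release note and the kind of admission-time check that now rejects such values. The lower bound of 0 and the function names are assumptions for illustration.

```python
# Added illustration of the release-note item; not code from Envoy Gateway.
UINT32_MAX = 4294967295  # maximum value quoted in the release note


def truncate_uint32(value: int) -> int:
    """Model a value stored in a 32-bit unsigned field: it wraps modulo 2**32.

    This is the pre-fix behaviour described in the note, where the rate limit
    service and the Envoy token bucket silently reduced oversized limits.
    """
    return value % (UINT32_MAX + 1)


def validate_rate_limit_requests(value: int) -> int:
    """Admission-style check: reject out-of-range values with a clear error
    instead of letting them wrap. The lower bound of 0 is an assumption here.
    """
    if isinstance(value, bool) or not isinstance(value, int):
        raise TypeError("requests must be an integer")
    if value < 0:
        raise ValueError(f"requests {value} must not be negative")
    if value > UINT32_MAX:
        raise ValueError(
            f"requests {value} exceeds uint32 max {UINT32_MAX}; "
            "value would be truncated modulo 2^32"
        )
    return value


def is_rejected(value: int) -> bool:
    """Helper returning True when the validator rejects the value."""
    try:
        validate_rate_limit_requests(value)
    except (TypeError, ValueError):
        return True
    return False


if __name__ == "__main__":
    # Constructed sample limits: the first two exceed uint32 max.
    for requested in (4294967296, 4294967300, 1000000):
        print(
            f"requested={requested} "
            f"effective_before_fix={truncate_uint32(requested)} "
            f"rejected_now={is_rejected(requested)}"
        )
```

Running the block shows that 4294967296 requests per unit would previously have become an effective limit of 0 and 4294967300 an effective limit of 4, while an in-range value such as 1000000 passes the check unchanged.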

Performance improvements

  • Reduced chances of listener drain due to Lua policy updates by migrating to LuaPerRoute.
  • Reduced Kubernetes API server calls by reusing the cached controller-runtime client from the controller manager for infrastructure reconciliation. In GatewayNamespaceMode, this may slightly increase memory usage due to keeping the infrastructure resources in the cache.
  • Enabled deferred stat creation to reduce CPU and memory overhead by creating only the subset of metrics that are actually used at runtime, instead of eagerly initializing all possible stats. More information can be found in the Envoy deferred stat creation documentation.

Deprecations

Other changes

  • Moved Envoy Gateway CRDs into a sub-chart to avoid the Helm release secret exceeding the 1MB size limit when adding new API fields. Upgrade/Install behavior is unchanged for users.
  • The maximum number of rules in a RateLimit policy has been increased from 128 to 256.
  • The maximum number of JWT providers allowed in SecurityPolicy.spec.jwt.providers has been increased from 4 to 16.
  • Added runner_event_total metric to track update and delete events in infrastructure and gateway API runners for improved observability.
  • Added common Helm labels to Envoy Gateway RBAC resources.